Work and Income office bungles privacy breach followup

FIRST it was ACC – now Work and Income has misplaced private information and failed to follow its own policy on dealing with the breach.

A document containing someone else’s personal information was mixed in with the documents handed to another Work and Income client.

The one-page application for financial assistance shows contact details, client number, weekly income and money owed by a benefit recipient living in the same community as the person who received it.

The breach occurred during an interview at the Kapiti Coastlands office last week.

When the client contacted the Work and Income call centre to report the mistake, she was told to destroy it herself.

She said she offered to take the document back to the Work and Income office, but the call centre worker told her there was no need.

When contacted by NewsWire, the beneficiary whose information was mistakenly given out said the breach came as an unpleasant surprise, and she had not been informed of the privacy breach by Work and Income.

“I thought they’d look after my files,” she said. “Them handing out my private document is not what I’d expected.

“I’m quite upset about it, and disturbed that my privacy hasn’t been respected. Because it’s the same office, it could have been someone who knows me.

“My biggest fear is that someone else would use it to commit fraud and I’d get done for it.”

Work and Income head Debbie Power said the department took its responsibility to safeguard client information very seriously.

“Although our contact centre staff member advised that the information should be destroyed, this clearly hasn’t happened.

“Our contact centre staff member didn’t appreciate the seriousness of the situation and she should have. This was wrong.”

She said Work and Income had clear processes for suspected privacy breaches and they were not fully followed in this case.

The department’s privacy breach process had been instigated today.

“We immediately contacted the client who received the information in an effort to secure the information and minimise any impact for the client whose privacy was breached.

“Once we were able to confirm the identity of the client whose privacy had been breached, we contacted them to apologise for any distress caused.

“We have explained that while the mistake occurred because of human error, more care should have been taken and that this has been reinforced with the case manager.”

The Office of the Privacy Commissioner had been advised, she said.

The incident comes in the wake of an independent review into the protection of privacy and information at ACC, after a large information security breach was revealed earlier this year.

After the review’s findings were released last month, Privacy Commissioner Marie Shroff said ACC’s troubles served as a timely warning to similar entities (read more).

“Agencies that hold large amounts of personal information should be taking note of what
has happened at ACC and learn from its mistakes,” Ms Shroff said.

“Many organisations will recognise it could just as easily be them in the headlines.”

Assistant Privacy Commissioner Katrine Evans said today public sector agency policies must ensure continued protection of clients’ privacy after a breach.

“Any major agency that handles huge amounts of personal information is bound to have the odd mistake, but it’s the putting right that counts.”

Mrs Evans said anyone with doubts about the way a disclosure of their private information was being handled could contact the Office of the Privacy Commissioner.

“If the agency itself doesn’t appear to be fixing the problem, people are always welcome to send it on to us.”

Privacy expert Jonathan Forsey, special counsel at law firm Duncan Cotterill, said the incident represented a cavalier approach to personal information in large agencies.

“It’s clearly a breach of the obligations of WINZ under the Privacy Act, both in terms of safeguarding information they hold, and in terms of informing the provider of information that it’s been disclosed to a third party,” Mr Forsey said yesterday.

“Financial information and contact details can readily be used for benefit fraud or identity theft, so it is a significant breach.”

He said an appropriate privacy policy would include both a means of recovering released information and a requirement to inform the person whose privacy had been breached.

“As for the call centre’s response, if it’s WINZ policy then it’s appalling, and if it isn’t then they need to make sure whatever policy they do have in place is immediately refreshed to all staff so it is properly implemented.”

Mr Forsey said the incident highlighted the particular need of large agencies to remember the humanity of their clients.

“I think it represents the fact that ACC is not alone in having a cavalier approach to personal information. Staff become desensitised to what they’re looking at, so people become numbers.”

Ms Power said even a very small amount of information being released about a client was unacceptable.

“This incident is a disappointing reminder that we must be ever vigilant and ensure our practices when handling client information are impeccable.”

Three Work and Income staff were fired in July after a review into misuse of client information found that nearly one tenth of front-line staff surveyed had breached the department’s own code of conduct in inappropriately accessing information (read more).